(54) Method and apparatus for cryptographic processing in a communication network, using a single cryptographic engine

(57) A device and related method for cryptographically processing data packets being forwarded in both directions between a communication network and a client interface, using only a single cryptographic engine, but without any degradation in latency or throughput performance, as compared with a device using two cryptographic engines. Outbound data packets received from the client interface are immediately parsed to determine if cryptographic processing is required, and an appropriate portion of each packet may be cryptographically processed as the packet is received and stored in an outbound buffer memory, until forwarded onto the communication network. Inbound data packets received from the communication network are not immediately parsed but are stored in an inbound buffer memory until the client interface is available. Parsing and any needed cryptographic processing of an inbound packet is not performed until the client interface becomes available and the packet is retrieved from the inbound buffer memory for forwarding. Since the client interface cannot receive an inbound packet at the same time that it is sending an outbound packet, the single cryptographic engine serves to process traffic in both directions.
BACKGROUND OF THE INVENTION

This invention relates generally to cryptographic processing in communication networks and, more particularly, to a cryptographic device located between a user or "client" interface, which is usually a network of relatively local computers and other devices, and a communication network through which messages are to be transmitted from the client interface to selected destinations. Since many other systems and clients have legitimate access to the communication network, the security of these transmissions is often a significant issue. Various communication security protocols have been developed, for operation at different network protocol layers. The precise nature of these security protocols is not important to the present invention, which may be adapted to handle any desired security protocol.

The principal types of security service with which the invention is concerned are encryption for confidentiality and cryptographic checksums for integrity. Confidentiality is the protection of transmitted information from disclosure to unauthorized individuals or entities. For this purpose the information is transformed into an encrypted form before transmission, and is decrypted back to its "clear text" form upon receipt at the destination. Integrity involves the detection of whether received data has been modified during transmission. For this purpose, the information need not be encrypted, but merely subject to processing that results in the generation of a cryptographic checksum at each end of the transmission path. If the checksums do not match, the underlying data is assumed to have been modified.

Ideally, cryptographic processing should be "transparent" to the user or client. Sending and receiving messages could then take place without regard to the nature, or even the existence, of cryptographic processing, the use of which should not significantly increase the transmission time delay, referred to as "latency," or have any significant effect on the "throughput" or rate of flow of data between the client and a network. However, completely transparent cryptographic processing is both complex and costly, and there is a need for a less costly non-transparent cryptographic processing technique, in which each participating device connected to a client interface assumes responsibility for some aspects of cryptographic processing.

An important goal in designing cryptographic systems for network use is that the cryptographic processing should be located between the client interface and the communication network, in such a manner that processing can be performed "on the fly" without significant delay, as data packets pass in either direction. In some configurations, cryptographic processing may be integrated with a client interface controller, but cryptographic processing is still being performed in the communication path. Because data has to be processed in both directions through the cryptographic device, most prior implementations of such a device employ two independent cryptographic engines, to handle the eventuality of data flow in both directions simultaneously. The use of a single cryptographic engine is commonly believed to affect performance adversely, by the injection of processing delays in one direction or the other.

Accordingly, there is still a need for improvement in the field of cryptographic processing for network communication, and in particular there is a need for a low-cost device, i.e. one needing only a single cryptographic engine, that does not suffer from the performance degradation of its predecessors. The present invention satisfies this need.

SUMMARY OF THE INVENTION

The present invention resides in a cryptographic processing device, and related method, providing a cryptographic interface between a communication network and a half-duplex client interface, using only a single cryptographic engine, but without any adverse effects on the throughput or latency in communication, as compared with a device using two cryptographic engines. Briefly, and in general terms, the method of the invention comprises the steps of cryptographically processing, if necessary, outbound data packets as they are received from the client interface, cryptographically processing, if necessary, inbound data packets as they are transmitted onto the client interface, and storing inbound and outbound data packets in temporary buffer storage, as needed, before forwarding. In most cases, data packets will be immediately forwarded, in what is referred to as "cut-through" operation. Only a single cryptographic engine is needed because the client interface is of a type that cannot handle an outbound packet and an inbound packet at the same time.

Further steps of the method preferably include parsing each outbound data packet immediately prior to cryptographic processing, to determine whether processing is necessary and the type of processing to be performed, and parsing each inbound data packet immediately prior to cryptographic processing, to determine whether processing is necessary and the type of processing to be performed. The step of storing inbound and outbound packets in temporary buffer storage includes storing inbound packets in an inbound buffer memory if the client interface is unavailable, and storing outbound packets in an outbound buffer if the communication network is unavailable. The method of the invention may also include the steps of receiving a loopback packet from the client interface, immediately parsing and cryptographically processing the loopback packet, if necessary, and storing the loopback packet in a loopback buffer memory until the client interface is available.

As described herein, a preferred embodiment of the method of the invention comprises the steps of receiving inbound data packets from a communication network, determining whether a client interface is available and, if not, storing each inbound data packet in an inbound buffer memory. Then, when the client interface becomes available, the method includes the step of retrieving a stored data packet. Following this are the steps of parsing the packet to determine whether it should be cryptographically processed, cryptographically processing the data packet if necessary, and transmitting the packet onto the client interface. For traffic in the other direction, the method includes the steps of receiving outbound data packets from the client interface, parsing each packet as it is received from the client interface, cryptographically processing each packet received from the client interface if processing is determined to be necessary, and determining whether the communication network is available. If the network is unavailable, the method includes storing each outbound data packet and, when the network becomes available, retrieving the data packet. The final step of the method is transmitting the outbound packet onto the communication network.

A single cryptographic engine is sufficient to perform both the steps of cryptographically processing the data, because cryptographic processing of outbound packets is performed as the packets are received from the client interface, and processing of inbound packets is performed as the packets are transmitted to the client interface. Half-duplex operation of the client interface precludes the possibility of both these functions being required at the same time.

For processing loopback packets, the method includes the steps of receiving a loopback packet from the client interface, immediately parsing and cryptographically processing the loopback packet, if necessary, and storing the loopback packet, if the client interface is unavailable.

In accordance with another aspect of the invention, the method further comprises the steps of parsing a portion of an inbound data packet before the client interface becomes available, storing the parsed portion of the packet in a first-in-first-out buffer, to be ready to transmit, retrieving data from the first-in-first-out buffer when the client interface becomes available, and beginning transmission of the retrieved data onto the client interface while additional data of the same packet is stored in and retrieved from the first-in-first-out buffer. Use of the first-in-first-out buffer ensures that transmission onto the client interface begins without delay as soon as the interface becomes available.

In terms of novel apparatus, the present invention includes, in its broadest terms, a single cryptographic engine, for cryptographically processing, if necessary, outbound data packets as they are received from the client interface and, if necessary, inbound data packets as they are transmitted onto the client interface, and buffer storage means for storing, as needed, inbound and outbound data packets before forwarding. As indicated above, a single cryptographic engine is sufficient for this purpose because the client interface cannot handle an outbound packet and an inbound packet at the same time. The apparatus of the invention may further include means for storing a loopback data packet and may be defined in other more specific terms, comparable in scope with various forms of the method of the invention outlined above.

It will be appreciated from the foregoing that the present invention represents a significant advance in the field of cryptographic processing for use in network communication. In particular, the invention provides for bidirectional cryptographic processing between a communication network and a client interface using a single engine, but without any degradation in throughput or latency time as compared with a device using two cryptographic engines.

BRIEF DESCRIPTION OF THE DRAWINGS

A more detailed understanding of the invention may be had from the following description of preferred embodiments, given by way of example and to be read in conjunction with the accompanying drawings, wherein:

FIGURE 1 is a block diagram showing the cryptographic device of an embodiment of the invention, connected between a client interface and a communication network, and having only one cryptographic engine;

FIG. 2 is a simplified block diagram similar to FIG. 1; and

FIG. 3 is a more detailed block diagram similar to FIGS. 1 and 2.

DESCRIPTION OF THE PREFERRED EMBODIMENT

As shown in the drawings by way of example, the present invention is concerned with a device for cryptographically processing data packets passing in both directions between a client interface and a communication network. In the past it has been thought to be necessary to include at least two independently operating cryptographic engines in the device, to efficiently handle traffic in both directions with a minimum of delay. Prior to the present invention, the use of a single cryptographic engine has been thought to necessarily result in some kind of performance degradation, either in latency or throughput.

In accordance with the invention, a single cryptographic engine is used for cryptographic processing in both directions between the client interface and the communication network, without significant effect on latency or throughput of the device. Although this goal may seem impossible to achieve with a single cryptographic engine, it proves to be possible if the communication medium in the client interface is a half-duplex medium, such as Ethernet, employing the access protocol commonly referred to as Carrier Sense Multiple Access with Collision Detection (CSMA/CD). Under the CSMA/CD rules for access to a network bus or cable, any station wishing to transmit must first "listen" to make sure that the cable is clear before beginning to transmit. All stations on the network have equal priority of access and may begin transmitting as soon as the line is clear and any required inter-packet delay has elapsed. However, if a first station that has started transmitting detects a "collision" with a transmission from another station, the first station continues transmitting for a short time to make sure that all stations wishing to transmit will detect the collision. Then the first station terminates transmission for some random period of time. Other stations involved in the collision do the same thing, also selecting a random, and therefore usually different, delay time before trying transmission again.

The nature of the CSMA/CD rules for network access is such that full-duplex transmission, i.e. transmitting and receiving at the same time, is not possible. If a station is receiving a message, the network is busy and a transmission cannot be started, from this or any other station. Similarly, if a transmission is in progress from this station, no message can be received at the same time, since no other sending station can gain access to the network while this station is sending a message. Therefore, the nature of operation of an Ethernet or other CSMA/CD station is half-duplex, i.e. messages can be both transmitted and received, but because of the nature of the network access rules, not at the same time. This characteristic of Ethernet and CSMA/CD is used in the present invention, specifically in the client interface, to provide bidirectional transmission of messages through a single cryptographic engine, without any degradation in latency or throughput as compared with a device using two cryptographic engines. It will be apparent, however, that the invention is not limited to use with CSMA/CD, and will operate equally well with any half-duplex communication medium.

FIG. 1 shows the device of the embodiment in simplified block diagram form, connected between a client interface, indicated by reference numeral 10, and a communication network 12. In this specification, aspects of the device relating to the client interface are sometimes referred to as being on the "client side" of the device, and aspects relating to the communication network are sometimes referred to as being on the "network side." The relevant components of the device include a client receive machine 14, designated RxC, a client transmit machine 16, designated TxC, a network receive machine RxN 18, a network transmit machine TxN 20, a single cryptographic engine 22, a buffer memory 24, a client transmit FIFO memory 26, a receive parser 28 and a transmit parser 30.

These components are connected in various logical configurations depending on the type of traffic being handled at a particular time. Although all of the data paths to be described pass through the buffer memory 24, there are two direct logical paths that make use of the buffer memory as part of each data path, and not for data packet storage. First, there is a direct logical path from the client interface 10 to the network cable 12. This path includes a line 32 from the client interface 10 to the client receive machine 14, a line 34 from the client receive machine to the network transmit machine 20 (by way of the buffer memory 24), and a third line 36 from the network transmit machine to the network cable 12. Similarly, there is another direct logical path from the communication network 12 to the client interface 10, including a line 38 from the communication network to the network receive machine 18, a line 40 from the network receive machine to the client transmit FIFO memory 26 (by way of the buffer memory 24), another line 42 from the FIFO memory to the client transmit machine 16, and a further line 44 from the client transmit machine to the client interface 10. The buffer memory 24, which is actually three logically separate memories, is connected by a data bus 46 to the "outbound" data path along line 34, and to the "inbound" data path along line 40.

It will be understood from the foregoing description of data paths that the buffer memory 24 serves both to store data packets when they cannot be immediately transmitted, and to pass data immediately, without storing the entire packet. While both these actions might technically involve "storing" data in the memory, in this specification the word "storing" is reserved for the situation in which an entire data packet is held for later forwarding onto the communication network or the client interface. When a data packet passes through the buffer memory in a "cut-through" mode of operation, a packet is already being transmitted from the memory while portions of it are still arriving at the memory.

The key to apparently simultaneous processing of bidirectional traffic is best explained with reference to the data flow diagram of FIG. 2. A data packet received from the client interface 10 is always parsed as it is received, by the receive parser 28, and is cryptographically processed by the engine 22 if this is determined to be necessary from the parsing in the receive parser 28. Then, the data packet, whether or not encrypted, is stored in the buffer memory 24 as long as is necessary to wait for access to the communication network 12. In contrast, a data packet received from the communication network 12 is not immediately parsed or cryptographically processed, but is directed first to the buffer memory 24 for temporary storage. Normally, the client interface will be available, and the packet will be immediately retrieved from the buffer memory. In fact, the packet will normally be transmitted to the client interface while it is still being received from the communication network 12. This is known as "cut-through" operation, as contrasted with "store-and-forward" operation, in which the entire packet is left in temporary storage if the client interface is unavailable. In any event, when the client interface is available, or later becomes available, the packet is fed from the buffer memory 24, is parsed by the transmit parser 30, is cryptographically processed by the engine 22, if needed, and eventually is forwarded onto the client interface 10. The cryptographic engine 22, when its use is called for, is going to be either processing a data packet that is being received from the client interface 10, or processing a data packet that is being transmitted to the client interface. These two functions of the engine 22 can never be required at the same time: parsing and possible cryptographic processing of an inbound packet is not started while the client interface is busy delivering an outbound packet to the device, and, because the client interface is half-duplex, the client cannot begin delivering an outbound packet while the device is transmitting an inbound packet onto the client interface.

More specifically, a data packet received from the communication network 12 by the network receive machine 18 is passed directly to the buffer memory 24. If there is currently no packet being transmitted or received on the client interface 10, the packet is passed to the client transmit FIFO memory 26 and, in parallel, is parsed by the transmit parser 30. If necessary, from the appropriate byte, as determined by the parser, the data is passed through the cryptographic engine 22 before being passed to the client transmit FIFO memory 26. Finally, the client transmit machine 16 draws data from the client transmit FIFO memory 26 and transmits a data packet onto the client interface 10.

When a packet received from the communication network 12 enters the buffer memory 24, if there is currently a packet being received from the client interface 10, but there are no pending packets to be transmitted to the client interface, the beginning portion of the packet will be transferred to the client transmit FIFO memory 26 as though it were about to be transmitted, and parsing of the beginning portion will be performed. However, no cryptographic processing will be started, and the client transmit machine 16 will not draw data from the client transmit FIFO memory 26 because the client interface will be seen to be still busy. When the client transmit FIFO memory becomes full, no more data will be transferred until the actual transmission begins and the client transmit machine 16 begins drawing data from the client transmit FIFO memory. This preloading of the FIFO memory ensures that the device can meet a required inter-packet gap between receptions and transmissions on the client interface, and that no unnecessary latencies are incurred. The FIFO memory ensures that there is no "underrun" of data being transmitted when the cryptographic engine 22 begins operating and until it processes the first block of data and the engine's "pipeline" of data reaches a steady state.
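The scheduling rule described above, and the CSMA/CD half-duplex premise it rests on, can be checked in a small tick-level model. The Python below is an added example written for this page, not the patent's design or any vendor's code. It assumes one word of a packet moves per tick, the engine handles one word per tick, the parser needs one header word before it can divert data into the engine, and the network side always accepts data (cut-through), so only the client side is modelled; the FIFO preload is left out. Running the same constructed traffic against a half-duplex client and a hypothetical full-duplex client shows the invariant the single-engine argument depends on: with a half-duplex client the engine is never wanted by both directions in the same tick, and with a full-duplex client it is.

```python
"""Tick-level model of the single-engine device described above.

Added example, not the patent's own design. Assumptions: one word of a
packet moves per tick; the engine processes one word per tick; the parser
needs HEADER_WORDS words before it can divert data into the engine; the
network side always accepts data (cut-through), so only the client side
is modelled. Traffic is a constructed schedule of arrival ticks.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

HEADER_WORDS = 1


@dataclass
class Packet:
    direction: str      # "out" (client -> network) or "in" (network -> client)
    length: int         # words in the packet
    needs_crypto: bool  # what the parser finds in the header
    sent: int = 0       # words already moved through the device


@dataclass
class Device:
    half_duplex_client: bool = True
    client_pending: Deque[Packet] = field(default_factory=deque)  # client's own send queue
    inbound_buf: Deque[Packet] = field(default_factory=deque)     # inbound buffer memory
    client_rx: Optional[Packet] = None  # outbound packet arriving from the client
    client_tx: Optional[Packet] = None  # inbound packet being sent to the client

    def idle(self) -> bool:
        return not (self.client_pending or self.inbound_buf or self.client_rx or self.client_tx)

    def tick(self, arrivals: List[Packet]) -> Tuple[str, ...]:
        """Advance one tick; return which directions wanted the engine."""
        for p in arrivals:
            (self.client_pending if p.direction == "out" else self.inbound_buf).append(p)
        rx_busy = self.client_rx is not None
        # Device side: an inbound packet is parsed and processed only as it is
        # transmitted to the client, which a half-duplex client line permits
        # only when the client is not sending to us.
        if self.client_tx is None and self.inbound_buf and (
                not rx_busy or not self.half_duplex_client):
            self.client_tx = self.inbound_buf.popleft()
        # Client station: CSMA/CD listen-before-talk, so it defers while the
        # device is transmitting to it (the model lets the device win ties;
        # real stations would detect the collision and back off).
        if self.client_rx is None and self.client_pending and (
                self.client_tx is None or not self.half_duplex_client):
            self.client_rx = self.client_pending.popleft()
        users = []
        for tag, attr in (("out", "client_rx"), ("in", "client_tx")):
            p = getattr(self, attr)
            if p is None:
                continue
            if p.needs_crypto and p.sent >= HEADER_WORDS:
                users.append(tag)   # this word goes through the engine
            p.sent += 1
            if p.sent == p.length:
                setattr(self, attr, None)
        return tuple(users)


def run(device: Device, schedule: Dict[int, List[Packet]], max_ticks: int = 64) -> str:
    """Engine timeline, one char per tick: '.' idle, 'O' outbound, 'I' inbound,
    'X' both directions wanted the engine in the same tick (a conflict)."""
    timeline = []
    last_arrival = max(schedule)
    for t in range(max_ticks):
        users = device.tick(schedule.get(t, []))
        timeline.append("X" if len(users) > 1 else users[0][0].upper() if users else ".")
        if t >= last_arrival and device.idle():
            break
    return "".join(timeline)


def make_schedule() -> Dict[int, List[Packet]]:
    """Constructed traffic: the client starts an outbound packet at tick 0 and
    the network delivers an inbound packet at tick 2, both needing crypto."""
    return {0: [Packet("out", 6, True)], 2: [Packet("in", 6, True)]}


def demo() -> Dict[str, str]:
    return {
        "half_duplex": run(Device(half_duplex_client=True), make_schedule()),
        "full_duplex": run(Device(half_duplex_client=False), make_schedule()),
    }


if __name__ == "__main__":
    for name, tl in demo().items():
        print(f"{name:12s} {tl}  conflicts={tl.count('X')}")
```

With the half-duplex client the timeline is `.OOOOO.IIIII`: the inbound packet waits in the buffer until the client stops sending and the engine is never double-booked. The wait is imposed by the half-duplex line, not by the engine; a two-engine device on the same line could not deliver the inbound packet any earlier, which is the basis of the patent's claim of no added latency. With the full-duplex client the timeline becomes `.OOXXXII`, three ticks in which both directions need the one engine, so the design holds only for a genuinely half-duplex client interface.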

FIG. 3 shows the device of the invention in more detail. Components shown in FIG. 3 but not in the simplified diagrams of FIGS. 1 and 2 include a memory controller 50 to control the buffer memory 24, client receive control logic (CRCTL) 52, client transmit control logic (CTCTL) 54, packet control logic 56, four direct memory access units (CRDMA 57, NTDMA 58, CTDMA 60 and NRDMA 62), and three additional FIFO memories (CRFIFO 64, NTFIFO 66 and NRFIFO 68). The functions of these additional components will now be briefly explained.

The client receive control logic CRCTL 52 controls receive operations on the client side of the device, including coordination of operations of the receive parser 28 and the cryptographic engine 22. The client transmit control logic CTCTL 54 controls transmit operations on the client side of the device, including coordination of operations of the transmit parser 30 and the cryptographic engine 22. The additional FIFO memories 64, 66, 68 are relatively small memories, the primary purpose of which is to provide buffers for efficient operation of the data bus 46. The DMA units 57, 58, 60, 62 provide a conventional DMA function to access the buffer memory 24. The memory controller 50 directs buffer memory operations and related operations on the data bus 46. Finally, the packet control logic 56 regulates data flow to and from the client and network sides of the device, in such a manner as to minimize data buffering requirements.

For outbound data flow, from the client side to the network side of the device, parsing is performed (in the receive parser 28) on an incoming data packet at the same time that the packet is being transferred over the data bus 46 to the buffer memory 24. When the receive parser 28 detects that cryptographic processing is required on the packet, the parser notifies the client receive control logic CRCTL 52, which, at an appropriate time, begins directing data from the client receive machine 14 into the cryptographic engine 22. After cryptographic processing, the data packet is stored in the buffer memory 24. When the network side of the device is able to accept a data packet, based on the availability of the network, the packet control logic 56 directs the network transmit machine 20 to begin transmitting, and data will transfer from the buffer memory 24 to the network transmit machine and out onto the communication network. This operation, which is referred to as cut-through, can take place simultaneously with continuing reception of data from the client side of the device.

Inbound data flow, from the network side to the client side of the device, is not immediately parsed, but is transferred directly from the network receive machine 18 to the buffer memory 24. When the client side of the device becomes available, the packet control logic 56 instructs the client transmit control logic 54 to begin transmitting to the client, and this operation can take place simultaneously with reception of data from the network side. As a packet of data is being sent to the client transmit FIFO 26, it is simultaneously parsed by the transmit parser 30. Once the transmit parser 30 detects that a cryptographic operation is required, it notifies the client transmit control logic 54, which directs data flow, at an appropriate time, through the cryptographic engine 22, from which the data packet flows through the client transmit FIFO 26 and onward to the client interface.

In addition to inbound data packets and outbound data packets, the device also handles loopback data packets, which are packets of data received from and returned to the client side of the device, usually after cryptographic processing. A loopback function is provided to client devices to permit "local" cryptographic processing of data packets. Loopback operation provides cryptographic services, such as file encryption, to the client. The loopback function will also be needed, for example, if an inbound packet of data is inadvertently decrypted when it should not have been, or if an inbound packet should have been decrypted but was not. Basically, the loopback function provides client access to cryptographic processing of data packets that are not outbound packets. Loopback packets received from the client side of the device are handled in much the same way as outbound packets. They are parsed on their way to the buffer memory 24, but are stored in a loopback buffer of the buffer memory, instead of an outbound buffer. When it is time to send the loopback packet back to the client, i.e. when the client side is available and it is the loopback packet's turn to be transmitted, the packet is sent directly back to the client, with no additional processing.

The specific parsing procedures followed in the receive parser 28 and the transmit parser 30 are highly dependent on the network protocols and specific data packet formats employed, and are not considered to be part of the present invention. Parsing simply involves scanning header information in a data packet to determine whether cryptographic processing is needed for the packet. The client device is required to indicate in the header whether or not cryptographic processing is required. When the receive parser 28 detects a header field that indicates cryptographic processing is required, an appropriate part of the data packet is diverted through the cryptographic engine 22. The parser 28 may be designed to recognize more than one packet format, and to detect in each format a code indicating that cryptographic processing is required. Parsing also includes determining the starting point in the packet at which cryptographic processing is to begin. Cryptographic processing may, for example, include encrypting a designated portion of the data frame in accordance with the Data Encryption Standard, or computing a frame check sequence (or checksum), referred to as an integrity check value (ICV), to append to the data packet, or both.

The transmit parser 30 determines which packets that are inbound from the network side are to be cryptographically processed. The parsing function is again one of scanning through data frame header information and making the determination based on this header information. If cryptographic processing is required for an inbound packet, an appropriate portion of the packet is diverted through the cryptographic engine 22. Processing of inbound packets usually involves decryption, or simply recomputation of the frame check sequence to ensure the integrity of the data.
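The header-driven decision the two parsers make, carried through on a constructed frame layout, as an added example (not the patent's parser, which depends on the packet formats in use). The layout, the flag bits, the fixed test keys and the ICV length are assumptions made for illustration. The page names DES for the confidentiality service; DES is not in the Python standard library, so a keystream derived from HMAC-SHA256 over a per-frame IV stands in for it here, and the ICV is a truncated HMAC-SHA256. The example keeps the order a practitioner would want on both paths: on the outbound side encrypt from the parsed start offset, then append the ICV over the whole frame; on the inbound side verify the ICV in constant time before decrypting, and reject the frame on mismatch. It also rejects malformed headers (unknown flag bits, a start offset outside the frame) rather than guessing.

```python
"""Header-driven parse-and-process step on a constructed frame layout.

Added example, not the patent's parser. Layout (an assumption for
illustration):

    byte 0     flags: bit 0 = confidentiality (encrypt), bit 1 = integrity (ICV)
    byte 1     start offset: first byte the cryptographic engine processes
    bytes 2-9  per-frame IV (used only when bit 0 is set)
    ...        rest of header, then the protected portion from the start offset
    trailer    ICV_LEN-byte ICV appended on the outbound path when bit 1 is set

DES is not in the Python standard library, so a keystream derived from
HMAC-SHA256 over (IV, block counter) stands in for the page's DES encryption;
the ICV is a truncated HMAC-SHA256. Keys below are fixed test values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

FLAG_CONF, FLAG_INTEG = 0x01, 0x02
HEADER_MIN = 10      # flags + start + 8-byte IV
ICV_LEN = 8
ENC_KEY, ICV_KEY = b"enc-key-test-value", b"icv-key-test-value"   # test keys only


@dataclass(frozen=True)
class ParseResult:
    encrypt: bool
    integrity: bool
    start: int    # offset at which engine processing begins
    iv: bytes


def parse(frame: bytes) -> ParseResult:
    """What the receive/transmit parser decides from the header: whether the
    engine is needed, which service, and from which byte. Malformed headers
    are rejected rather than guessed at."""
    if len(frame) < HEADER_MIN:
        raise ValueError("frame shorter than minimum header")
    flags, start = frame[0], frame[1]
    if flags & ~(FLAG_CONF | FLAG_INTEG):
        raise ValueError("unknown flag bits")
    if start < HEADER_MIN or start > len(frame):
        raise ValueError("start offset outside frame")
    return ParseResult(bool(flags & FLAG_CONF), bool(flags & FLAG_INTEG), start, frame[2:10])


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor_from(frame: bytes, start: int, key: bytes, iv: bytes) -> bytes:
    """Stand-in cipher: XOR everything from `start` with the keystream."""
    body = frame[start:]
    return frame[:start] + bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body))))


def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def process_outbound(frame: bytes) -> bytes:
    """Receive-parser path (client -> network): encrypt from `start`, then
    append an ICV over the whole frame (encrypt-then-MAC)."""
    p = parse(frame)
    out = _xor_from(frame, p.start, ENC_KEY, p.iv) if p.encrypt else frame
    return out + _icv(ICV_KEY, out) if p.integrity else out


def process_inbound(frame: bytes) -> bytes:
    """Transmit-parser path (network -> client): verify the ICV in constant
    time before decrypting; a mismatch rejects the frame."""
    p = parse(frame)
    if p.integrity:
        if len(frame) < p.start + ICV_LEN:
            raise ValueError("frame too short to carry an ICV")
        body, tag = frame[:-ICV_LEN], frame[-ICV_LEN:]
        if not hmac.compare_digest(tag, _icv(ICV_KEY, body)):
            raise ValueError("integrity check failed")
        frame = body
    return _xor_from(frame, p.start, ENC_KEY, p.iv) if p.encrypt else frame


def build_frame(flags: int, header_rest: bytes, payload: bytes,
                iv: Optional[bytes] = None) -> bytes:
    """Constructed client frame; a real client would fill these fields itself."""
    iv = os.urandom(8) if iv is None else iv
    return bytes([flags, HEADER_MIN + len(header_rest)]) + iv + header_rest + payload


def roundtrip(flags: int, payload: bytes = b"hello from the client side") -> Tuple[bytes, bytes, bytes]:
    """(original frame, frame on the wire, frame delivered to the far client)."""
    frame = build_frame(flags, b"\xaa\xbb", payload, iv=bytes(8))   # fixed IV for a repeatable demo
    wire = process_outbound(frame)
    return frame, wire, process_inbound(wire)


def tamper_detected() -> bool:
    """Flip one ciphertext bit on the wire; the inbound path must reject it."""
    _, wire, _ = roundtrip(FLAG_CONF | FLAG_INTEG)
    bad = bytearray(wire)
    bad[-ICV_LEN - 1] ^= 0x01
    try:
        process_inbound(bytes(bad))
    except ValueError:
        return True
    return False
```

With flags of zero the frame passes both paths untouched, which is the "no processing required" case the parsers must recognise; with the integrity bit alone the wire frame is the original plus an eight-byte ICV; with both bits the bytes before the parsed start offset (including the IV the far side needs) are sent in the clear and everything after it is encrypted before the ICV is computed.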

It will be appreciated from the foregoing that the present invention represents a significant advance in the field of cryptographic processing for network communication. In particular, the invention provides a less complex approach to cryptographic processing of message traffic passing between a network and a client device, using a single cryptographic engine, but without introducing additional latency, and without affecting processing throughput. It will also be appreciated that, although an embodiment of the invention has been described in detail for purposes of illustration, various modifications may be made without departing from the spirit and scope of the invention. Accordingly, the invention is not to be limited except as by the appended claims.

Claims 

1. A method for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using cryptographic engine means, the method comprising the steps of:

cryptographically processing using an only cryptographic engine, if necessary, outbound data packets as they are received from the client interface;

cryptographically processing using said only cryptographic engine, if necessary, inbound data packets as they are transmitted onto the client interface; and

storing inbound and outbound data packets in temporary buffer storage, as needed, before forwarding;

whereby only a single cryptographic engine is needed because the client interface cannot handle an outbound packet and an inbound packet at the same time.

2. A method as defined in claim 1, and further comprising the steps of:

parsing each outbound data packet immediately prior to cryptographic processing, to determine whether processing is necessary and to determine the type of processing to be performed; and

parsing each inbound data packet immediately prior to cryptographic processing, to determine whether processing is necessary and to determine the type of processing to be performed.

3. A method as defined in claim 1, wherein the step of storing inbound and outbound packets in temporary buffer storage includes:

storing inbound packets if the client interface is unavailable; and

storing outbound packets if the communication network is unavailable.

4. A method as defined in claim 3, and further comprising the steps of:

receiving a loopback packet from the client interface;

immediately parsing and cryptographically processing the loopback packet, if necessary; and

storing the loopback packet if the client interface is unavailable.

5. A method for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the method comprising the steps of:

receiving inbound data packets from a communication network;

determining for each received packet whether a client interface is available;

if the client interface is unavailable, storing the inbound data packet until the client interface becomes available, then retrieving the packet;

parsing the packet to determine whether it should be cryptographically processed, using a single cryptographic engine cryptographically processing the data packet if necessary, and transmitting the packet onto the client interface;

receiving outbound data packets from the client interface;

parsing each packet as it is received from the client interface;

using said single cryptographic engine cryptographically processing each packet received from the client interface if processing is determined to be necessary by the preceding parsing step;

determining whether the communication network is available;

if the communication network is unavailable, storing each outbound data packet until the communication network becomes available, then retrieving the outbound data packet; and

transmitting the outbound data packet onto the communication network;

whereby a single cryptographic engine is sufficient to perform the steps of cryptographically processing the data, because cryptographic processing of outbound packets is performed as the packets are received from the client interface, and processing of inbound packets is performed as the packets are transmitted to the client interface, but half-duplex operation of the client interface precludes the possibility of both these functions occurring at the same time.

6. A method as defined in claim 5, and further comprising the steps of:

receiving a loopback packet from the client interface;

immediately parsing and cryptographically processing the loopback packet, if necessary; and

storing the loopback packet if the client interface is unavailable.

7. A method as defined in claim 5, and further comprising, prior to transmitting a packet onto the client interface, the steps of:

parsing a portion of the packet before the client interface becomes available;

storing the parsed portion of the packet in a first-in-first-out buffer, to be ready to transmit;

retrieving data from the first-in-first-out buffer when the client interface becomes available; and

beginning transmission of the retrieved data onto the client interface while additional data of the same packet is stored and retrieved in the first-in-first-out buffer.
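The scheduling argument of claim 5 (outbound packets are processed as they arrive from the client, inbound packets are held unprocessed until the half-duplex client interface is free to receive them) can be checked with a small discrete-time model. The following is an added illustration, not code from the patent: it replays one constructed traffic trace through the claimed arrangement and through a naive arrangement that processes inbound packets on arrival from the network, and counts how many engine jobs any single tick demands. The packet fields, the tick-based event trace and the XOR stand-in for the engine's transform are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    pkt_id: int
    direction: str      # "out": client -> network, "in": network -> client
    needs_crypto: bool  # what the parsing step concludes about this packet
    payload: bytes


class CryptoEngine:
    """A single engine that logs how many jobs each tick asked it to run."""

    def __init__(self) -> None:
        self.jobs_per_tick: Dict[int, int] = {}

    def process(self, tick: int, pkt: Packet) -> None:
        self.jobs_per_tick[tick] = self.jobs_per_tick.get(tick, 0) + 1
        # Stand-in transform only; a real engine applies the negotiated cipher.
        pkt.payload = bytes(b ^ 0x5A for b in pkt.payload)

    def peak_demand(self) -> int:
        """Largest number of jobs any one tick needed (1 means one engine suffices)."""
        return max(self.jobs_per_tick.values(), default=0)


def parse(pkt: Packet) -> bool:
    """Parsing step of claims 2 and 5: decide whether processing is required."""
    return pkt.needs_crypto


# Constructed trace: (tick, (event, packet)). "client_tx" = the half-duplex client
# interface is busy sending an outbound packet this tick; "net_rx" = an inbound
# packet arrives from the network this tick. Ticks 0 and 2 have both at once.
def make_trace() -> List[Tuple[int, Tuple[str, Packet]]]:
    return [
        (0, ("client_tx", Packet(1, "out", True, b"hello"))),
        (0, ("net_rx", Packet(2, "in", True, b"world"))),
        (1, ("net_rx", Packet(3, "in", False, b"clear"))),
        (2, ("client_tx", Packet(4, "out", True, b"again"))),
    ]


def run_claimed(trace, ticks: int) -> Tuple[int, List[Tuple[int, int]]]:
    """Claim 5: process outbound on receipt, buffer inbound until the client is idle."""
    engine = CryptoEngine()
    inbound_buf: deque = deque()   # inbound packets stored unparsed and unprocessed
    outbound_buf: deque = deque()  # outbound packets already processed, awaiting network
    delivered: List[Tuple[int, int]] = []
    for tick in range(ticks):
        events = [e for t, e in trace if t == tick]
        client_tx = [p for kind, p in events if kind == "client_tx"]
        assert len(client_tx) <= 1, "half-duplex: at most one outbound packet per tick"
        for kind, p in events:
            if kind == "net_rx":
                inbound_buf.append(p)          # stored until the client is available
        for p in client_tx:                    # outbound: parse and process as received
            if parse(p):
                engine.process(tick, p)
            outbound_buf.append(p)
        if not client_tx and inbound_buf:      # client idle: parse, process, transmit one
            p = inbound_buf.popleft()
            if parse(p):
                engine.process(tick, p)
            delivered.append((tick, p.pkt_id))
    return engine.peak_demand(), delivered


def run_naive(trace, ticks: int) -> int:
    """Process every packet the tick it arrives, regardless of client state."""
    engine = CryptoEngine()
    for tick in range(ticks):
        for kind, p in [e for t, e in trace if t == tick]:
            if parse(p):
                engine.process(tick, p)
    return engine.peak_demand()


if __name__ == "__main__":
    peak, order = run_claimed(make_trace(), ticks=4)
    print("claimed arrangement peak engine demand:", peak, "delivery order:", order)
    print("naive arrangement peak engine demand:", run_naive(make_trace(), ticks=4))
```

On this trace the naive arrangement needs two engine jobs in tick 0 (an outbound and an inbound packet both requiring processing), whereas the claimed arrangement never needs more than one per tick: inbound packet 2 waits in the buffer and is processed in tick 1, when the client interface is idle. The cost is the buffering delay on inbound traffic, which is what the description argues does not degrade latency because the packet could not have been delivered to the busy client interface anyway.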

8. Apparatus for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the apparatus comprising:

a single cryptographic engine, for cryptographically processing, if necessary, outbound data packets as they are received from the client interface and, if necessary, inbound data packets as they are transmitted onto the client interface; and

buffer storage means for storing, as needed, inbound and outbound data packets before forwarding;

whereby only a single cryptographic engine is needed because the client interface cannot handle an outbound packet and an inbound packet at the same time.

9. Apparatus as defined in claim 8, and further comprising:

means for parsing each outbound data packet immediately prior to cryptographic processing, to determine whether processing is necessary and the type of processing to be performed; and

means for parsing each inbound data packet immediately prior to cryptographic processing, to determine whether processing is necessary and the type of processing to be performed.

10. Apparatus as defined in claim 9, wherein the buffer storage means includes:

means for storing inbound packets if the client interface is unavailable; and

means for storing outbound packets if the communication network is unavailable.

11. Apparatus as defined in claim 10, and further comprising:

means for storing a loopback data packet received from the client interface and cryptographically processed as needed in the cryptographic engine, until the client interface is available.

12. Apparatus for cryptographic processing of data outbound from a half-duplex client interface to a communication network, and inbound from the communication network to the client interface, using only a single cryptographic engine, the apparatus comprising:

means for receiving inbound data packets from a communication network;

means for determining whether the client interface is available;

means for storing each inbound data packet if the client interface is unavailable;

means operable when the client interface becomes available, for retrieving a stored data packet;

means for parsing the inbound packet to determine whether it should be cryptographically processed;

a cryptographic engine, operable to cryptographically process the inbound data packet if necessary;

means for transmitting the inbound data packet onto the client interface;

means for receiving outbound data packets from the client interface;

means for parsing each data packet as it is received from the client interface, and for forwarding each packet for processing in the cryptographic engine, if necessary;

means for determining whether the communication network is available;

means for storing each outbound data packet if the communication network is unavailable;

means operable when the communication network becomes available, for retrieving a stored data packet and transmitting it onto the communication network;

whereby a single cryptographic engine is sufficient to perform cryptographic processing of the data, because cryptographic processing of outbound packets is performed as the packets are received from the client interface, and processing of inbound packets is performed as the packets are transmitted to the client interface, but half-duplex operation of the client interface precludes the possibility of both these functions occurring at the same time.

13. Apparatus as defined in claim 12, and further comprising:

means for storing a loopback data packet;

and wherein the means for receiving and parsing outbound packets also serve to receive and parse loopback packets as received from the client interface, and the cryptographic engine also serves to cryptographically process loopback packets, as necessary.

14. Apparatus as defined in claim 13, and further comprising:

a high-speed data bus providing bidirectional access to the means for storing data packets.

15. Apparatus as defined in claim 12, and further comprising:

a first-in-first-out buffer, for storing a portion of an inbound data packet prior to its transmission onto the client interface;

means for initiating parsing of a portion of the packet before the client interface becomes available, wherein the parsed portion of the packet is stored in the first-in-first-out buffer, to be ready to transmit; and

means for retrieving data from the first-in-first-out buffer when the client interface becomes available, and beginning transmission of the retrieved data onto the client interface while additional data of the same packet is stored and retrieved in the first-in-first-out buffer.